Certifiable Q&A for July 14, 2000

Welcome to Certifiable, your exam prep headquarters. Here you'll find questions about some of the tricky areas that are fair game for the certification exams. Following the questions, you'll find the correct answers and explanatory text. We change the questions biweekly, and you can access previous question sets.

To complete the Windows 2000 MCSE track, you must pass at least one of three design exams. These exams differ from most other exams in that they are case-study-based: each consists of a series of scenarios with a number of questions related to each scenario. To get a feel for the exam layout, take the time to look at a sample exam.

The most important advice for tackling these exams is to read the scenario and questions thoroughly. In fact, I recommend reading through the scenario and all related questions, then rereading the scenario before attempting to answer a question. On the exam, each scenario is organized into subject areas that are presented on separate tabs. The All tab, which contains all the information for the scenario, is very useful for reading through the entire scenario; it is, in fact, the only view I use.

Here is a short sample scenario that tests Active Directory (AD) design issues.

Scenario: Example Cheeses, Ltd., is a leading cheese producer. The company has asked you to architect the deployment of Active Directory within Example Cheeses.

Current IT Environment

There are three Windows NT 4.0 domains: RESEARCH, EXAMPLE, and RESOURCE. The research department has its own domain with a two-way trust to EXAMPLE. The RESOURCE domain holds all resources for the rest of the company and trusts the EXAMPLE domain.

Office Locations

Example Cheeses has headquarters in Chester and facilities in Leicester and Gloucester. The facility in Gloucester consists of two adjacent buildings joined by a wireless network link. In addition, the company has an R&D office in Lancaster.

Help Desk Supervisor

"Too much time is spent with basic problems. Most users don't deal with critical data and often forget their passwords, so passwords can't be too complicated. We reinstall 100 computers every month because careless users delete critical files."

Chief Technology Officer (CTO)

"The wireless link between the warehouse and office building in Gloucester is heavily used. Our WAN links are unreliable. I want users in all offices to be able to log on, even if all out-of-building connectivity is lost."

Head of R&D

"The R&D department is at the forefront of technology and requires its own security settings, including lengthy passwords. Also, we administer ourselves and don't want to be controlled by the administrators in the main company."

Question 1

How many Active Directory sites should your design call for?

A. 1
B. 2
C. 3
D. 4
E. 5

For the correct answer and an explanation, see the Answers section.

Question 2

Which final domain model is best suited to Example Cheeses? (Select all that apply.)

A. Single domain: example.com
B. Two forests: example.com and example-research.com
C. Two domains in one tree: example.com and research.example.com
D. Three domains in one tree: example.com, resource.example.com, and research.example.com

Answer to Question 1

The correct answer is E—5 AD sites. The company has five separate buildings connected by links unsuitable for client logon traffic. Unreliable WAN links connect the four cities, and the CTO says that the wireless LAN is heavily used. Therefore, you should define a separate site for each building.

AD sites define well-connected network areas, and in the context of directory operations, they affect replication and logon traffic. When a Windows 2000 client looks for a domain controller (e.g., when a user logs on), it calls the API function DsGetDcName. DsGetDcName prefers a domain controller in the client's own site, so defining a separate site for each building means that each logon is authenticated within its own building whenever a local domain controller is available.

In addition, AD replication traffic between sites is compressed down to 10 or 15 percent of the size that would be required to replicate the same changes within a site. Compressed data requires more CPU power at each end of the connection, but in this scenario connectivity between sites, not processor time, is the limiting factor. Replication traffic within a site is left uncompressed to save processor cycles, on the assumption that intrasite bandwidth is ample, as it is here. An administrator can also define a schedule for replication between sites (e.g., replication can be configured not to happen during office hours).
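The five-site design from Answer 1, expressed as an added example with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later; Win2K itself used the Sites and Services snap-in). This is not code from the original article: the site names follow the scenario, the subnets are constructed placeholders, and the hub-and-spoke link layout from Chester is an assumption.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module and
# Enterprise Admin rights; subnet ranges below are constructed placeholders.
Import-Module ActiveDirectory

# One site per building. Gloucester is split in two because its wireless link is saturated.
$sites = [ordered]@{
    'Chester'              = '10.1.0.0/16'
    'Leicester'            = '10.2.0.0/16'
    'Gloucester-Office'    = '10.3.0.0/17'
    'Gloucester-Warehouse' = '10.3.128.0/17'
    'Lancaster-RD'         = '10.4.0.0/16'
}
foreach ($name in $sites.Keys) {
    New-ADReplicationSite -Name $name
    # The subnet object is how the DC locator (DsGetDcName) maps a client's IP to its site.
    New-ADReplicationSubnet -Name $sites[$name] -Site $name
}

# Inter-site replication is compressed and scheduled. Allow it only outside 08:00-18:00,
# every day of the week, so the unreliable WAN links are not loaded during office hours.
$raw = New-Object 'bool[,,]' -ArgumentList 7, 24, 4    # [day, hour, quarter-hour]
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = ($h -lt 8 -or $h -ge 18) }
    }
}
$offHours = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$offHours.RawSchedule = $raw

# WAN links from the Chester headquarters to each remote city (assumed hub-and-spoke),
# replicating every 3 hours within the off-hours window.
foreach ($remote in 'Leicester', 'Gloucester-Office', 'Lancaster-RD') {
    New-ADReplicationSiteLink -Name "Chester-$remote" -SitesIncluded 'Chester', $remote `
        -Cost 100 -ReplicationFrequencyInMinutes 180 -ReplicationSchedule $offHours `
        -InterSiteTransportProtocol IP
}
# The two Gloucester buildings share a campus: cheaper, more frequent, no office-hours block,
# but still a separate site so the wireless hop carries compressed replication only.
New-ADReplicationSiteLink -Name 'Gloucester-Wireless' `
    -SitesIncluded 'Gloucester-Office', 'Gloucester-Warehouse' `
    -Cost 20 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
```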

Answer to Question 2

The correct answer is C—Two domains in one tree. The business requirement of autonomous security and complex passwords for the R&D department means that R&D needs a separate domain: in Win2K, password policy applies to a whole domain, and a separate domain also keeps members of the domain administrators group in the example.com domain from having administrative access to the research computers. This requirement rules out answer A.

Operating two forests in a single enterprise (answer B) makes little business sense because you lose the single Global Catalog (GC) and can establish only Windows NT 4.0-style trusts between domains. In short, for this organization, the approach in answer B negates much of the point of moving to Win2K.

Using three domains in one tree (answer D) would work, but it isn't the best model. Win2K domains are far more scalable than NT 4.0 domains, so the resource domain can be rolled up into the parent domain to save money on hardware, software, and administration.

Answer to Question 3

The correct answer is A, B, C, D, and E—that is, all locations should contain GC servers. At first glance, this question seems to depend on your answer to Question 2, but in fact it doesn't.

In a multiple-domain forest, the authentication process for a user must be able to contact a GC server to determine the user's universal group memberships. The reason is that universal groups can be used to revoke access to resources, so they must be resolved before the user is let loose on the system (the exception is members of the domain administrators group, who can log on even when no GC server is found).

Because the CTO specified a business requirement that logons must not depend on WAN connectivity, each location must have a GC server for use in the logon process. Having a GC server in every location is also good practice in most AD designs.
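A check for the requirement just described, as an added example that is not part of the original article: it asks the DC locator, site by site, for a GC server and flags any site where the answer comes from elsewhere, which is the hidden WAN dependency the CTO ruled out. It assumes the ActiveDirectory module and is run from a domain member inside the forest.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module is installed
# and the script runs on a forest member with rights to read site configuration.
Import-Module ActiveDirectory

$noLocalGc = @()
foreach ($site in (Get-ADReplicationSite -Filter *)) {
    try {
        # -Discover drives the same locator (DsGetDcName) that logon uses; -ForceDiscover
        # skips the client's cached DC so the query is really answered for this site.
        $gc = Get-ADDomainController -Discover -SiteName $site.Name -Service GlobalCatalog `
                                     -ForceDiscover -ErrorAction Stop
        # When the requested site has no GC the locator quietly falls back to a GC in
        # another site, so the returned server's site must be compared with the one asked for.
        if ($gc.Site -eq $site.Name) {
            Write-Output ("{0}: GC {1} answers logons locally" -f $site.Name, "$($gc.HostName)")
        } else {
            $noLocalGc += $site.Name
        }
    } catch {
        # No GC reachable at all from this query (e.g. the site is currently cut off).
        $noLocalGc += $site.Name
    }
}
if ($noLocalGc) {
    Write-Warning ("Logons would depend on the WAN from: " + ($noLocalGc -join ', '))
}
```

In the two-domain design, repeat the discovery for the Lancaster site with -DomainName research.example.com and without -Service GlobalCatalog, since R&D users also need a domain controller of their own domain in the building.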

When you have a single domain model, the requirement for a GC server to process logons goes away. However, with only one domain, there is virtually no penalty for making every domain controller a GC server, and this approach is the recommended one. Although no extra data needs to be replicated, for a domain controller to respond to GC requests, you must still explicitly make the domain controller a GC server by performing the following steps: